PT-2020-19879 · One Identity · One Identity Password Manager

Clément Cruchet

·

Published

2020-11-13

·

Updated

2021-07-21

·

CVE-2020-7962

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

One Identity Password Manager version 5.8

Description

An issue was discovered in One Identity Password Manager 5.8 that lets an attacker enumerate valid security-question answers for a user. The password reset flow checks each answer on its own, and the HTTP response body contains 'WRONG ID' only when the submitted answer is incorrect, so the response acts as an oracle: by submitting candidate answers and watching for the absence of 'WRONG ID', an unauthenticated attacker can confirm a valid answer for each question independently, then reuse the collected answers to reset the user's password to a value of the attacker's choosing.

Recommendations

For One Identity Password Manager version 5.8, consider restricting access to the password reset functionality until a patch is available. As a temporary workaround, make the HTTP response identical whether the answer is correct or not (same status code and body, and as far as possible the same response time) so that it cannot be used to enumerate valid answers; verifying all answers together rather than one at a time, and limiting or locking out repeated failed attempts, further reduces what an attacker can learn per request. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
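The per-answer oracle described above, beside the shape of a hardened reset flow, as an added Python illustration (not One Identity's code and not taken from this advisory). The user store, the candidate wordlist, the 'CONTINUE', 'REQUEST REJECTED' and 'RESET TOKEN ISSUED' response bodies, the lockout threshold and all function names are assumptions made for the example; only the 'WRONG ID' string comes from the advisory.

```python
import hmac

# Constructed sample data standing in for the application's user store and
# an attacker's wordlist; none of it comes from the product or the advisory.
STORED_ANSWERS = {"alice": {1: "fluffy", 2: "springfield"}}
CANDIDATES = ["rex", "fluffy", "max", "springfield", "bella"]

WRONG = "WRONG ID"  # the only string taken from the advisory


def vulnerable_check(user, question_id, answer):
    """Behaviour the advisory describes (response shapes assumed): one answer
    is verified at a time and the body contains 'WRONG ID' only when it is
    wrong, so the body is a yes/no oracle for each question separately."""
    expected = STORED_ANSWERS.get(user, {}).get(question_id)
    if expected is None or answer.lower() != expected:
        return 200, WRONG
    return 200, "CONTINUE"


def enumerate_answers(oracle, user, question_id, candidates):
    """Attacker side: keep every candidate the oracle does not reject.
    'oracle' is any callable returning (status, body); against a live
    deployment it would be an HTTP request to the answer-check step."""
    return [c for c in candidates if WRONG not in oracle(user, question_id, c)[1]]


def oracle_leaks(oracle, user, question_id, candidates):
    """True when the responses split the wordlist, i.e. the attacker learnt
    something about this one answer without knowing the others."""
    kept = enumerate_answers(oracle, user, question_id, candidates)
    return 0 < len(kept) < len(candidates)


class HardenedReset:
    """Hardened variant (assumed design, not the vendor's fix): all answers
    are submitted together, every one is compared in constant time, the
    response body is identical whether none or all-but-one are right, and
    the user is locked out after MAX_ATTEMPTS failed submissions."""

    MAX_ATTEMPTS = 5
    REJECTED = "REQUEST REJECTED"

    def __init__(self):
        self.failures = {}

    def verify(self, user, answers):
        if self.failures.get(user, 0) >= self.MAX_ATTEMPTS:
            return 200, self.REJECTED          # locked out: same body as a miss
        expected = STORED_ANSWERS.get(user, {})
        ok = len(answers) == len(expected)
        for qid, exp in expected.items():      # no early exit on first mismatch
            got = answers.get(qid, "").lower().encode()
            ok &= hmac.compare_digest(got, exp.encode())
        if not ok:
            self.failures[user] = self.failures.get(user, 0) + 1
            return 200, self.REJECTED
        return 200, "RESET TOKEN ISSUED"       # the next step happens only here


def hardened_oracle(reset, other_answers):
    """Adapter so the same enumeration loop can be run against the hardened
    flow: the attacker must submit a guess for every other question too."""
    return lambda user, qid, answer: reset.verify(user, {**other_answers, qid: answer})


if __name__ == "__main__":
    print("vulnerable, Q1:", enumerate_answers(vulnerable_check, "alice", 1, CANDIDATES))
    print("hardened,   Q1:", enumerate_answers(hardened_oracle(HardenedReset(), {2: "?"}),
                                               "alice", 1, CANDIDATES))
    print("leaks: vulnerable =", oracle_leaks(vulnerable_check, "alice", 1, CANDIDATES),
          "hardened =", oracle_leaks(hardened_oracle(HardenedReset(), {2: "?"}),
                                     "alice", 1, CANDIDATES))
```

Against the vulnerable oracle the wordlist collapses to the single valid answer per question; against the hardened flow every candidate produces the same body, so the attacker learns nothing per question and is locked out after a handful of whole-set guesses. To check a real deployment, replace `vulnerable_check` with a function that submits one candidate answer to the reset flow and returns the status and body, and run `oracle_leaks` for an account whose answers you know with the real answer mixed into the wordlist.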

Side Channel Attack


Weakness Enumeration

Related Identifiers

CVE-2020-7962

Affected Products

One Identity Password Manager